Storing Passwords When You’re the Client

So now we have four perfectly good password-hashing algorithms we can use. They’re so good it’s tempting to think that we’ve solved password storage for all use cases. Unfortunately, that’s not the case. We can only use these for hashing the passwords of clients that authenticate to us. If we need to authenticate to another system, we can’t use these password-hashing algorithms because they’re one-way only. We can never get the passwords back from a hash. So we’ll need another approach for storing passwords that we need to present to other systems.

Storing passwords on servers

How should we store passwords that are used by our servers to connect to other servers? Perhaps we could encrypt them before we store them on disk. That sounds good, but it ...